#dev 2021-05-10

2021-05-10 UTC
samwilson, [jeremycherfas], ytqb[m], vilhalmer and ShadowKyogre joined the channel; ShadowKyogre left the channel
#
@AndreJaenisch ↩️ Wait. hentry? WebMention support? Or only microformats? (Which would be great on its own) To answer the question: IndieWeb! (twitter.com/_/status/1391650750493827073)
ShadowKyogre, [KevinMarks], samwilson, [dianoetic_net], [jeremycherfas], shoesNsocks and sparseMatrix joined the channel
#
sparseMatrix so what's the best OAUTH2 provider library for doing microformat stuffs with python?
#
sparseMatrix I'm looking at AuthLib
#
sparseMatrix errr, Authlib
#
sparseMatrix I'm wondering if maybe I could just integrate something like this into my environment: https://github.com/bbc/nmos-auth-server
#
sparseMatrix it's based on Authlib
#
Loqi [bbc] nmos-auth-server: AMWA NMOS BCP-003-02 Authorisation Server
#
sparseMatrix I have done the JWT thing before, but not necessarily via an OATH workflow
#
sparseMatrix I had some phone-home devices I set up 'dialing up' the mothership for purposes of accessing an api
#
@omc345 I finally set it up Webmentions with the help of @jkup's awesome post and repository. It's time to make it count! https://jonkuperman.com/gatsby-webmentions/ (twitter.com/_/status/1391776752477802497)
jeremych_, [jacky] and [KevinMarks] joined the channel
#
[KevinMarks] this is interesting https://locus.plus/
[tantek] joined the channel
#
[KevinMarks] a pushback against what3words, which is full of flaws
#
[tantek] and their fragile JS is broken on FF so meh
shoesNsocks and tomlarkworthy joined the channel
#
tomlarkworthy Is the backlink from Github profile strictly necissary to login someone?
#
tomlarkworthy If I am user https://tom.com/ with a rel=me link to https://github/tom. Then to login as https://tom.com/ I can just take https://tom.coms word?
#
tomlarkworthy like if the github authenticates the nominated profile user then thats basically the same as having an indie_auth link to the github oauth endpoint
#
aaronpk here's an attack on that: I can create a page not-tom.com with a rel=me link to github.com/tom, then trick tom in to visiting a link that starts the flow with not-tom.com, and since tom is logged in to github, he'd be logged in to the app as not-tom.com
#
[tantek] only a little worried what those domains resolve to 😬 — please use (not-)tom.example.com next time :)
#
tomlarkworthy its not an attack. I can create not-tom.example.com and have an authorization_endpoint that auto logins in for anybody, then we are in the same position, real tom is logged into the app as not-tom.example.com after being tricked
#
aaronpk i guess that's what .example is for too
#
tomlarkworthy critically I am not logged into the app as tom.example.com. Also the indielogin.com does summerize what is about to happen for this kind of reasons anyway
#
tomlarkworthy an indieauth endpoint does not require backlinks, it clearly is not totally necissary, though there is obvious value to having bidirection trust as its symettric, but for the puposes of login you only need it one way really.
#
aaronpk i thought there was another reason that [tantek] wrote up in the original RelMeAuth but now i can't find it
#
tomlarkworthy I am jsut trying to simplify things and the fact github only allows one homepage is annoying
#
aaronpk indielogin.com checks the github bio for additional links
#
[tantek] the bidirectional links also help as guard rails. to make it easier to detect and communicate user error, in a manner that enables the user to repair their error
#
tomlarkworthy 2 of 2 users I have so far talked to had an incompatible homepage already intheir github profile, so I think in practice this gets in the way, especially as Github only allows one link.
#
[tantek] for example, someone with multiple identities and respective github or other OAuth endpoints, could mistakenly login in as one somewhere where they intended to login as another if there was only a "simple" check of "do they have the logged in cookie on that thing over there"
#
tomlarkworthy but yeah, good workaround with profile scanning
#
[tantek] yeah the experience around here has been quite the opposite, most folks when they show up already have their personal site as the GitHub website
#
[tantek] and they typically also already have a link from their personal site to their GitHub profile (because that's a common UX, typically with an icon)
#
tomlarkworthy yeah this was the case for me
#
[tantek] so "all" they have to do is add "rel=me" to that link on their home page and they're done
#
[tantek] literally easier than any other distributed/federated identity system on the web or even proposed
#
tomlarkworthy yeah its good. Thats why I am here :)
#
tomlarkworthy but not having backlinks for silo oauth providers is even easier.
#
tomlarkworthy I don;t see a great reason for the backlinks here
#
[KevinMarks] locus.plus does need js as it's calling the location api, though it may barf if you're not in the uk when it does the grid conversion
#
tomlarkworthy BTW I ban http homepages becuase of MITM risks so Tantek's would not work with auth server.
#
tomlarkworthy this was 1 reason why I could not accept 1 of my users homepage
#
tomlarkworthy you can;t trust a http site so in my mind it is not a suitable substrate for login
#
[KevinMarks] is there an MITM risk from your server side? That's usually only a significant issue for client side
#
aaronpk there's a risk but it's very low
#
tomlarkworthy well it really depends where the user's webpage is hosted.
#
tomlarkworthy several governements are known to MITM their citizens
#
aaronpk as soon as you are concerned about government attacks you have to do better than public CA SSL too
#
tomlarkworthy just seems strange to put so much faith in DNS and then not secure the comms to those named servers with https
#
aaronpk SSL is already trivially broken on corporate networks
#
aaronpk so, as always, it depends on your threat model and what you are trying to protect against
#
tomlarkworthy yeah I guess the main vector is coffee shop wifi attacks but this is not an issue with server-to-server verification
#
[tantek] huh? what would mine not work with what server?
#
tomlarkworthy sorry my auth server does not accept http
#
tomlarkworthy oh funny I clicked your name here and it directs to http version of your site
#
tomlarkworthy I can't find evidence of SSL being broken (without installing custom certs or throwing errors in the browser)
#
aaronpk yes, on devices managed by a company, the IT department can push custom root certs to the machine, then they can sign a cert for any domain that the computer will trust. this happens all the time, and the end user won't even be aware of it
#
tomlarkworthy yeah thats a custom cert.
#
aaronpk yes, i'm saying it's something the user isn't necessarily aware of and requires no action on their part
#
tomlarkworthy it does they have to use a corporate issued device that is not theirs
#
aaronpk or a personal device that they enrolled in the corporate management system
#
tomlarkworthy thats an action
#
aaronpk yes, either: take an action (once) on their personal device, or no action on a corporate device
#
[tantek] both are very easy for folks to forget they've done
#
[tantek] in what UI did you "click on my name here"?
#
tomlarkworthy "https://chat.indieweb.org/"
#
tomlarkworthy kevinmarks too goes to http
#
tomlarkworthy aaronpk goes to https
#
[tantek] very odd
#
aaronpk i mean it's just pulling from https://indieweb.org/chat-names
#
tomlarkworthy HSTS headers?
#
tomlarkworthy yeah the actual link is "http://aaronparecki.com/"
#
[tantek] aaronpk, chat-names doesn't specify http or https for your personal domain
#
[tantek] so some other code somewhere is making an assumption there
#
aaronpk oh really
#
[tantek] the only explict http(s) is for the icon
#
aaronpk my http redirects to https
#
[tantek] maybe that's a coincidence that you use https for your icon and I don't (editing now)
#
tomlarkworthy yeah it is going to http for aaronpk
#
[tantek] should it though? do we still allow http: IndieAuth logins on the wiki? (we used to right?)
#
aaronpk i'm pretty sure indielogin.com will accept an http url
#
tomlarkworthy yes there was some complex upgrade logic I decided not to prot and jsut accept only https
#
tomlarkworthy not to port
[dianoetic_net] and [tw2113_Slack_] joined the channel
#
tomlarkworthy oh that was indeiauth.com sorry. Some InsecureRedirectErrors
#
tomlarkworthy https://github.com/aaronpk/indielogin.com/issues/24#issuecomment-447553940
#
tomlarkworthy 'indielogin.com will handle the case of users entering a insecure HTTP URI and "upgrading"/redirecting it to a HTTPS one; IIRC. It's been an issue mentioned before in here.' Maybe old though
#
Loqi [jalcine] On Saturday, 15 December 2018 01:20:32 PST fluffy wrote: > It would be nice to reduce the barrier to entry by allowing people to log in > using the identity from the service itself, rather than needing to set up a > profile page with the correct `...
sparseMatrix joined the channel
#
sparseMatrix I've been reading the (propsed) spec here: https://www.w3.org/TR/indieauth/#authentication for most of the day. If this is the working spec, it does say that http should be upgraded to https by the client
#
sparseMatrix It's also fairly permissive of redirects
#
aaronpk This one is more up to date https://indieauth.spec.indieweb.org/
#
sparseMatrix and document URI, vs strictly canonical domains, e.g., 'https://someplace.com/joe.user/joes-hcard.html'
#
sparseMatrix cool, I'll switch over to that @aaronpk
#
sparseMatrix and thanks :D
#
[tantek] point being the links to people in the chat archives could be https
#
[tantek] sparseMatrix, you may want to use example.com for example URLs as even "made-up" examples likely link somewhere you don't intend to
#
vilhalmer anyone have a python rss generation library they like? rfeed seems good given that rss hasn't changed much recently, but figured I'd check
[KevinMarks] joined the channel
#
[KevinMarks] I've done it with jinja2, but that isn't naturally xml compliant
#
[KevinMarks] See what granary uses
[snarfed] joined the channel
#
[snarfed] granary uses https://feedgen.kiesow.be/ . it’s…fine
#
vilhalmer fine is about all I could ask for, heh
[girrodocus] and [dianoetic_net] joined the channel
#
[dianoetic_net] I have webmentions displaying 💃
#
[dianoetic_net] Have we got anything for sending to Bridgy using GitHub actions? Or will I have to get scripty
[Jeremy_Keith] joined the channel
#
[snarfed] it’s an HTTP POST, `curl -d ...' will do it
#
[snarfed] (and congrats on wms!)
samwilson and [chrisaldrich] joined the channel
#
[dianoetic_net] Thanks! I'll have to find a way to grab the right URL to send I suppose.
#
[dianoetic_net] I guess I could IFTTT but somehow that feels like admitting defeat...